Original URL: http://www.channelregister.co.uk/2007/07/25/firefox_url_bug/
The Mozilla Foundation acknowledged over the weekend that its own Firefox browser allows links that can send malicious code to external programs, a security issue that the group had previously argued should be fixed by Microsoft, as maker of the browser passing the link along.
In early July, three researchers found a way to execute code (http://www.securityfocus.com/bid/24837/info) in Firefox - and potentially other Windows programs - by passing it a malicious uniform resource identifier (URI) from Internet Explorer.
The discovery lit off a firestorm of finger pointing: The Mozilla Foundation argued (http://www.securityfocus.com/brief/551) that IE should validate the URI before passing it along to another program, while Microsoft stated (http://msdn2.microsoft.com/en-us/library/aa767914.aspx) that input validation is the responsibility of the receiving program.
Over the weekend, another researcher discovered (http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx) that Mozilla Firefox has the same security issue. The Mozilla Foundation acknowledged the problem on Monday.
"We thought this was just a problem with IE," Mozilla's chief security officer Window Snyder said in a blog post (http://blog.mozilla.com/security/2007/07/23/related-security-issue-in-url-protocol-handling-on-windows/). "It turns out, it is a problem with Firefox as well."
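The dispute above turns on input validation: whichever program receives a URI from another application should check it before handing it to a protocol handler, and, as the researcher cited here points out, characters such as double quotes are not legal in a URL at all. The following is an added example of such a check, written for this page and not code from Mozilla, Microsoft or any browser; the function name, the conservative policy of rejecting quotes even in percent-encoded form, and the sample URIs are all constructed for illustration.

```python
import re
from typing import Tuple
from urllib.parse import urlsplit, unquote

# Characters RFC 3986 permits in a URI: unreserved, gen-delims, sub-delims,
# and '%' as the introducer of a percent-encoded byte. Double quotes, spaces
# and control characters are deliberately absent from this set.
_ALLOWED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~"          # unreserved
    ":/?#[]@"       # gen-delims
    "!$&'()*+,;="   # sub-delims
    "%"             # percent-encoding introducer
)
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")  # RFC 3986 scheme syntax
_PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")                # well-formed escape
# Characters a handler must never see once it percent-decodes the URI
# (policy choice for this example: quotes, whitespace, control characters).
_FORBIDDEN_DECODED = re.compile(r'["\s\x00-\x1f\x7f]')


def validate_uri(uri: str) -> Tuple[bool, str]:
    """Decide whether `uri` may be passed to an external protocol handler.

    Returns (True, "") when the URI is acceptable, otherwise (False, reason).
    The receiving side performs this check itself rather than trusting the
    sender, which is the position the article attributes to Microsoft.
    """
    if not uri:
        return False, "empty URI"

    # 1. Reject any character outside the RFC 3986 repertoire outright.
    bad = sorted({c for c in uri if c not in _ALLOWED})
    if bad:
        return False, f"disallowed characters: {bad!r}"

    # 2. Every '%' must begin a valid two-hex-digit escape.
    if "%" in _PCT_RE.sub("", uri):
        return False, "malformed percent-encoding"

    # 3. The scheme must be present and syntactically valid; a handler is
    #    selected by scheme, so a missing one means nothing should be launched.
    parts = urlsplit(uri)
    if not parts.scheme or not _SCHEME_RE.match(parts.scheme):
        return False, "missing or malformed scheme"

    # 4. Conservative policy: if the handler decodes escapes before use,
    #    a %22 becomes a quote again, so apply the check to the decoded form.
    if _FORBIDDEN_DECODED.search(unquote(uri)):
        return False, "quote, whitespace or control character after decoding"

    return True, ""


# Constructed sample inputs (not taken from any real report).
SAMPLES = [
    "http://example.com/path?q=1",
    "mailto:alice@example.com",
    'http://example.com/a"b',       # literal double quote
    "http://example.com/a b",       # literal space
    "http://example.com/%zz",       # broken escape
    "http://example.com/%22",       # encoded double quote
    "example.com/path",             # no scheme
]


def check_samples():
    """Return {uri: accepted?} for the constructed samples."""
    return {u: validate_uri(u)[0] for u in SAMPLES}


if __name__ == "__main__":
    for u in SAMPLES:
        ok, reason = validate_uri(u)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {u!r} {reason}")
```

The order of the checks matters for diagnostics only; any single failure is enough to refuse the launch. Whether step 4 is too strict for a given deployment depends on the handler: if it receives the URI still encoded and never decodes it, step 1 alone already guarantees no quote reaches it.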
In the latest versions of their products, Microsoft and the Mozilla Foundation have focused on security. In Internet Explorer 7, Microsoft added (http://www.securityfocus.com/brief/333) anti-phishing features, the ability to run in protected mode on its latest operating system, Windows Vista, and severely culled problematic ActiveX controls. In Firefox 2.0, the Mozilla Foundation also added anti-phishing features (http://www.securityfocus.com/brief/337) and the ability to clear private data.
Mozilla is now looking into the issue to determine its response to the problem.
This article originally appeared in Security Focus (http://www.securityfocus.com/brief/553).
Copyright © 2007, SecurityFocus (http://www.securityfocus.com/)